What is PHI?

The HIPAA Safe Harbor Rule

In the USA, the 18 categories of PHI are enumerated in the HIPAA Privacy Rule.
Here is the relevant section (45 CFR 164.514(b)(2), the so-called safe
harbor rule), which defines a set of conditions for establishing
that health information is not individually identifiable (i.e., that it is
de-identified):

(2)(i) The following identifiers of the
individual or of relatives, employers,
or household members of the individual,
are removed:

(A) Names;

(B) All geographic subdivisions
smaller than a State, including street
address, city, county, precinct, zip
code, and their equivalent geocodes,
except for the initial three digits of a
zip code if, according to the current
publicly available data from the Bureau
of the Census:

(1) The geographic unit formed by
combining all zip codes with the same
three initial digits contains more than
20,000 people; and

(2) The initial three digits of a zip
code for all such geographic units containing
20,000 or fewer people is
changed to 000.

(C) All elements of dates (except
year) for dates directly related to an
individual, including birth date, admission
date, discharge date, date of
death; and all ages over 89 and all elements
of dates (including year) indicative
of such age, except that such ages
and elements may be aggregated into a
single category of age 90 or older;

(R) Any other unique identifying
number, characteristic, or code, except
as permitted by paragraph (c) of this
section; and

(ii) The covered entity does not have
actual knowledge that the information
could be used alone or in combination
with other information to identify an
individual who is a subject of the information.

The final point (R) above refers to paragraph (c), which immediately
follows the text quoted above and is reproduced below:

(c) Implementation specifications: re-identification.
A covered entity may assign
a code or other means of record
identification to allow information de-identified
under this section to be re-identified
by the covered entity, provided
that:

(1) Derivation. The code or other
means of record identification is not
derived from or related to information
about the individual and is not otherwise
capable of being translated so as
to identify the individual; and

(2) Security. The covered entity does
not use or disclose the code or other
means of record identification for any
other purpose, and does not disclose
the mechanism for re-identification.

The definition of a covered entity is complex, and interested
readers are referred to the full text of the HIPAA Privacy Rule.
Within the context above, a covered entity is anyone subject to the
laws of the USA who wishes to convey health information to anyone
else.
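
The transformations that paragraphs (B) and (C) and the re-identification code of paragraph (c) call for can be sketched as follows. This is an added example, not PhysioNet's own code; the record field names, the population table and the sample records are constructed, and withholding the birth year for patients over 89 is one reading of "elements of dates (including year) indicative of such age".

```python
import secrets
from datetime import date

# Constructed sample data. Real use needs current Census Bureau populations
# for every 3-digit ZIP prefix, as paragraph (B) requires.
ZIP3_POPULATION = {"021": 1_200_000, "036": 15_000}
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "Jane Example", "zip": "02139-4307",
     "birth_date": date(1950, 6, 1), "admit_date": date(2020, 3, 15)},
    {"mrn": "MRN-0002", "name": "John Sample", "zip": "03601",
     "birth_date": date(1925, 1, 10), "admit_date": date(2020, 3, 15)},
]

def generalize_zip(zip_code, zip3_population):
    """(B): keep the first three digits only if that area has > 20,000 people."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:
        return "000"  # malformed input: fail closed
    prefix = digits[:3]
    # A prefix missing from the table is treated as a small area.
    return prefix if zip3_population.get(prefix, 0) > 20_000 else "000"

def age_on(birth, when):
    """Age in whole years on the date `when`."""
    return when.year - birth.year - ((when.month, when.day) < (birth.month, birth.day))

def deidentify(record, zip3_population, codebook):
    """Apply (A), (B), (C) and paragraph (c) to one record."""
    age = age_on(record["birth_date"], record["admit_date"])
    over_89 = age > 89
    # (c)(1): the code is random, not derived from the MRN or any patient data.
    code = secrets.token_hex(16)
    # (c)(2): the codebook is the re-identification mechanism; it stays private.
    codebook[code] = record["mrn"]
    return {  # the name (A) and the MRN are never copied to the output
        "record_code": code,
        "zip3": generalize_zip(record["zip"], zip3_population),
        # (C): ages over 89 collapse into one category, and the birth year,
        # which would reveal such an age, is withheld for those records.
        "age": "90+" if over_89 else age,
        "birth_year": None if over_89 else record["birth_date"].year,
        "admit_year": record["admit_date"].year,  # (C): year only
    }

if __name__ == "__main__":
    private_codebook = {}
    for rec in SAMPLE_RECORDS:
        print(deidentify(rec, ZIP3_POPULATION, private_codebook))
```

A hash of the medical record number would not satisfy (c)(1), because it is derived from information about the individual; that is why the code comes from a random source and the mapping lives only in the private codebook.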

Other Data Elements Excluded from PhysioNet Data

In addition to the PHI defined by the HIPAA Safe Harbor Rule, PhysioNet does
not distribute data containing any of these elements:

Identifiers (as defined above by the HIPAA Safe Harbor Rule) of any
individual, including those of health professionals and visitors; and

Names of hospitals, clinics, and other care or research facilities
(such as referring hospitals or facilities to which a patient is
discharged) with the exception of the hospital or facility at which
the data were gathered.